Jose Nazario analyzes the Skunkx DDoS Bot
Lest you think all of the DDoS bots we focus on come only from China, we found one that appears to be from the US. We’re calling this bot “Skunkx”. We have not yet seen the bot’s attacks in the wild, however, and so we do not know its favored victim profiles. We also do not know how big this botnet is at this time.
The bot’s capabilities include:

- Perform DDoS attacks: UDP floods, SYN floods, HTTP floods, and Slowloris attacks
- Detect some analyst tools (CommView, TCPView, and Wireshark) and virtualization platforms (QEMU, VMware, Virtual PC)
- Spread over USB, MSN, and Yahoo Messenger
- “Visit” sites and run a speed test
- Download and install, update, and remove arbitrary software
- Detect and stop DDoSer, Blackshades, Metus, and IRC bots on the box; it apparently can speak the “DDoSer” protocol too
- Spread as a torrent file
- Steal logins stored in Mozilla’s SQLite database
We have not seen the bot’s source code or its control panel. The author appears to favor the “JoinVPS” hosting service, however. The servers he has used trace back to “Net-0x2a: Zharkov Mukola Mukolayovuch” in Ukraine and to “PIRADIUS” in Malaysia. This appears to be someone familiar with underground hosting.